<?php
namespace Admin\Controller;
use \Admin\Model\LoginModel;
include "./Common/CC.php";
//include "./Common/CheckAdmin.php";
//这里不能加鉴权代码，因为用户从admin.php进入登陆页面后的会话会被销毁，而这里鉴权会进入死循环
final class LoginController{
	//加载页面的方法
	public function login(){
		//判断来源。
		//$_SERVER['HTTP_REFERER']是判断访问这个页面上个页面的地址。
		//$_SERVER['HTTP_HOST']是主机名
		if($_SERVER['HTTP_REFERER']=='http://'.$_SERVER['HTTP_HOST'].'/admin.php'){
			//开始session
			session_start();
			//删除
			session_unset();
			//注销
			session_destroy();
			echo "<script>location.herf='./';</script>";
		}
		//加载登录页面
		include VIEW_PATH."admin_login.html";
	}
	
	//提交登录动作的方法
	public function sublogin(){
		session_start();
		$user = $_POST['username'];
		$pass = $_POST['password'];
		//过滤账号密码
		$user = self::filterWords($user);
		$pass = self::filterWords($pass);
		//密码md5
		$md5pass = md5($pass);
		
		$loginModelObj = new LoginModel();
		
		//开始进行账号密码正确性判断
		$login = $loginModelObj -> login($user,$md5pass);
		if(!$login){
			echo "<script>alert('用户名或密码错误，请重新输入');history.go(-1);</script>";
		}
		else{
			//从数据库中查询该条记录
			$query = $loginModelObj -> query($user);
			$_SESSION['admin_id'] = $query['admin_id'];
			$_SESSION['admin_acc'] = $query['admin_acc'];
			echo "<script>alert('登陆成功');location='/admin.php';</script>";
		}
	}
	
	//过滤字符串中敏感字符的方法
	static public function filterWords($str){
		$farr = array(
				"/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isU",
				"/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",
				"/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dump/is"
		);
		$str = preg_replace($farr,'',$str);
		return $str;
	}

}
?>